Leveraging Risk Scoring for Threat Hunting: DomainTools Risk Score
As organizations grow their security strategies to include proactive tactics such as threat hunting, they are leveraging several different tools to accomplish their various tasks. High alert volumes commonly overwhelm lean security teams, and triaging alerts quickly so teams can prioritize is essential to keeping an incident from becoming a breach. As security professionals prepare to face the threats of the future, ensuring new sources of threat intelligence are delivered in ways that seamlessly work with today’s processes and platforms is critical to streamlining the analyst workflow and implementing proactive, prioritized threat response.
Let’s start at the very beginning
When analyzing how to effectively integrate new sources of intelligence into existing platforms and processes, the first thing to examine is the underlying problem you’re trying to solve. So, let’s start at the beginning: The “beginning” is never at the time of breach. It starts way before then. Often, an attack starts with a newly registered domain or when a passive domain becomes active. Bad actors register domains with malicious intent every day to enable phishing, malware, and spam campaigns. Sometimes, they weaponize these domains quickly, while other times they park them so attackers can fly under the radar until they are ready to strike. This leaves security analysts at a disadvantage, if they don’t have proactive security practices in place.
Evolving beyond knee-jerk incident response
Just as bad actors are operationalizing new methods of attack, security teams are increasingly implementing proactive strategies and tactics to head them off at the pass. Some SecOps teams employ externally focused threat hunters who crawl the web and leverage tools to lookout for online discussions and posts that could impact the business or customers.
According to Krebs on Security, organizations like Netflix are adopting proactive strategies such as searching through data leaks for credentials matching those of their customers and then forcing a password reset for their users. Why? Businesses like Netflix understand that with so many accounts these days, users often feel daunted by trying to remember so many usernames and passwords so they regularly recycle their credentials on other sites. Netflix understands it is possible that one username and one password can give a hacker the keys to a data kingdom.
Data is king in security. Though Netflix leverages this particular threat hunting tactic, there are other methods they can use for incident response and for external and internal threat hunting. One such method is enriching alerts in a SIEM with domain and DNS infrastructure intelligence and supplemental risk scoring. This can help prioritize alerts and detections to minimize false positives and ensure teams are tackling the right threats at the right times.
Proactive domain risk scoring
Risk scoring can help security operations teams establish a streamlined process for detecting and mitigating malicious domains before they damage, disrupt, or destroy an organization’s infrastructure.
Security analysts can leverage risk scores as predictive analytics to create hunting hypotheses, recreating potential threat campaigns— proactively identify risks to the network. Knowing that domains can lead to phishing and malware attacks, hunters can gather DNS data to identify risky domains out in the wild.
DomainTools’ Risk Score can be used to improve an organization’s existing threat intelligence processes and work in tandem with tools they use every day, within already-implemented SIEM, TIP, or SOAR solutions. Domain Risk Scores are determined by predictive analysis and machine learning algorithms, meaning that they are likely to quickly become threats. Analysts can use this to prioritize investigations and to create a “domain watchlist” to enable faster identification of newly active threats.
The magic of the DomainTools Risk Score
DomainTools Risk Score predicts how likely a domain is to be malicious, often before it is operationalized. This can reduce the window of vulnerability between the time a malicious domain is registered and when it is observed and reported publicly as a component of an attack. The Domain Risk Score algorithms analyze a domain’s association with known-bad infrastructure, as well as intrinsic properties of the domain that closely resemble those of known phishing, malware, and spam domains.
A Domain Risk Score is made up of two key attributes: the Threat Profile and the Proximity.
Threat Profile provides predictive analytics by giving security practitioners insight into which domains possess characteristics indicative of “malicious intent”. This enables defenders to take action to shut down an an attack pathway before it is deployed.
The Proximity score provides intel on if a domain is in a “bad neighborhood”, which could be indicative of a possible threat on the horizon. It does this by mapping the connected infrastructure of a given domain in relation to other known risky domains.
Domain Risk Score is available within DomainTools’ Iris and APIs, as well as within a specific Risk Score feed so that customers can leverage this data within their prefered solutions to enrich their findings and drive more effective risk calculations.
As SecOps teams mature, they are continuing to expand their capabilities—transitioning from reacting to network detections, to preemptively actioning indicators likely to become threats when detected in the network, and then to proactively identifying threats in the wild. Identifying the data your team can incorporate into existing processes and tools to place indicators in context of the risk they pose is critical to keeping pace with evolving threat actor tactics and preparing today’s threat mitigation tactics to respond to tomorrow’s threats.